Dr. Drew Harris (@drewaharris) is a consultant and professor of population health and health policy at Thomas Jefferson University in Philadelphia.

Everyone leaves behind a long and detailed digital trail. As more health data moves online, we can expect personal health information to constitute an ever-increasing proportion of this data trove. Some of this information is entered into medical records by health-care providers—notes, lab results, etc.—but there’s also patient-generated health data from the devices we wear, the information we enter into online systems and the genetic testing we order.

All of which raises a difficult but crucial policy challenge: How do we make the most of our health information while respecting personal preferences, privacy and transparency?

Our digital lives are fragmented because health data is stored in mostly incompatible systems—for now. Doctors use separate electronic health records; fitness app data is posted in the cloud; pharmacies and insurers keep discrete data repositories; and family health history and social-network records are in entirely different databases. Imagine the insights we could learn if all this data were in one place.

Aggregating the data is not enough. The tools and techniques necessary to turn vast quantities of raw information into action plans are hard to master. Data scientists and analysts with the requisite skills to do this work are in great demand. Communicating results in a comprehensible form that will inform personal choices is a challenge. Essentially, we’re data rich and insight poor.

Assuming we achieve the blissful state of integrated and harmonized personal health information—what then? Recent revelations about Facebook and Cambridge Analytica’s misuse of sensitive personal information highlight the downside to storing all our digital eggs in one basket. The value of this individualized insight to a marketer—or rogue actor—is huge. The American Health Information Management Association has American Health Information Management Association has published a list of patient’s data rights, but this only covers what happens in the clinical setting. We need to protect health information wherever it lives. We need some rules of the road for the health data superhighway. Here is what I would suggest:

First, let’s make it clear that we as individuals own our health data. Our doctors, hospitals, employers, insurers and health-app companies may generate and store this data, but if it describes us, it is ours. The information contained in Henrietta Lacks’ tumor (HeLa) cells saved countless lives, but they were her cells and she or her family should have been asked for permission first. The organizations that collect and store our health data should respect our right to control its use.

We need to know that our health data is safe and secure. Under existing law (HIPAA), health-care entities must ensure our records are protected and only shared when authorized. Despite significant financial penalties, breaches occur with frightening frequency. Also, HIPAA doesn’t cover social-media or patient-support websites where we also post sensitive health information, the devices that capture health data, or records of our health-related retail purchases. This information can reveal much about our health and should be protected as well.

We need to recognize that the value of all this data is not just for individual care. Population health research can benefit from accessing this “real-world evidence.” It isn’t unreasonable to assume that the cure for many diseases lies in the collected health records of millions of patients. We just need to go find it. Legitimate health researchers should be granted access to our de-identified—stripped of identifiable information—health records. What’s more, anyone who abuses the privacy mandate or uses the data for unauthorized purposes must go to jail. Security must be the highest priority because maintaining trust in the purity of the process should be sacrosanct

The public should be able to financially benefit from the use of the health data. While it would be impossible to know whose health data led to a cure for cancer or a new way to prevent diabetes, we can be certain that a company will make a profit from the patented discovery. We, the public, should get some return on our collective data investment through mandatory licensing or patent ownership. The proceeds from these arrangements would be dedicated to further medical research by federal agencies like NIH; similar to how polluters help pay for environmental cleanup through the EPA Superfund program.

The volume of health data is expanding at greater than exponential rates. It’s time for public policy to catch up.